(no subject)

[bt () delfi lt]

Hi!

There are many buffer overflows in kermit on HP-UX 11.0 . I am sure it is vulnerable in other HP-UX versions, too, 
since "C-Kermit 6.0.192, 6 Sep 96, for HP-UX 10.00" is installed in HP-UX 11.0 by default.

/usr/bin/kermit is setuid to bin and setgrp to daemon, so upon succesfull exploitation, local user could get these 
priviledges.

Example of on simple buffer overflow in kermit :
$ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Segmentation fault (core dumped)

There are more kermit commands that are unchecked of correct parameter length: askq,define, assign, getc. Several of 
them use the same vulnerable function "doask". I am SURE that these are not all vulnerabilities in kermit.

one more thing (I am not sure if it is exploitable,but anyway):
[/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
Floating point exception (core dumped)

Solution - take off setuid bits form /usr/bin/kermit.
 
In my opinion, patching kermit against these(and maybe many more) vulnerabilities is not an option, since source of 
C-kermit 6.0.192 is publicly available, and it is very buggy. 

I tried to contact security-alert () hp com, but i got error message "Client host rejected: Access denied" (spam?).

Bye,

bt () delfi lt
<--------------------===========================-------------------->
Meiles zinutes sirdies damai ar riteriui: siusk MEILE numeriu 1325.
Jei siunti draugui, po zodzio MEILE nurodyk jo mob. telefono numeri.
Zinutes kaina 1 Lt.  http://sms.delfi.lt/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html